GraphQL — Common vulnerabilities & how to exploit them

Bilal Rizwan
13 min read · Apr 4, 2020

Hello there! How are you doing? Bilal Rizwan here, and I hope everyone is safe in this time of crisis and making full use of your quarantine time to learn new things and expand your skills.

What is this post about?
Many of you will by now have seen GraphQL being used in a lot of web applications. Some of you might have recognized right away that it is GraphQL and probably searched for what you can do with it; some might not have realized that the request is something called a GraphQL request.
In this post I'll try to highlight the common misconfigurations in the usage of GraphQL and how they can be exploited.

For those who don't know what GraphQL is, its request looks like this.

GraphQL sample request

It has some curly brackets and \n characters. If you see something like that, then most likely it's GraphQL.
Let's first start by understanding what GraphQL actually is; knowing this will help us form better exploits.

What is GraphQL ?

Simply put, GraphQL is an alternative API standard like REST and SOAP. It is basically a query language for APIs, used to interact with them and to fetch data from the backend. It can do everything a REST API can, but in a much more efficient and controlled way.
GraphQL solves a lot of the problems faced while using REST, like fetching more data than needed or the need to have a new endpoint for every call.

The following example should make the difference between GraphQL and a REST API clear.

In a REST API we would typically use the /users/<id> endpoint to fetch user data. Secondly, there is likely to be a /users/<id>/posts endpoint that returns all the posts for a user. The third endpoint will then be /users/<id>/followers, which returns the list of followers for a user.

REST API functionality

In GraphQL, however, there is only one endpoint, to which we send a query that includes concrete data requirements; the server then responds with exactly that data.
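To make the single-endpoint idea concrete, here is an added toy example (not code from the post or from any real GraphQL server): a tiny parser and resolver that accepts the kind of POST body described above, where one nested query replaces the three REST calls. The `USERS` data and the `/graphql` handling are constructed for illustration; real servers validate queries against a schema, which this toy skips.

```python
import json
import re

# Constructed sample data standing in for the REST resources the post mentions:
# /users/<id>, /users/<id>/posts and /users/<id>/followers.
USERS = {
    1: {"id": 1, "name": "alice", "email": "alice@example.com",
        "posts": [{"id": 10, "title": "Hello GraphQL", "body": "..."}],
        "followers": [{"id": 2, "name": "bob", "email": "bob@example.com"}]},
}

# Braces, parentheses, names, colons and integers; \s* swallows the newlines
# that make a raw GraphQL request body look the way the post describes.
TOKEN = re.compile(r"\s*([{}()]|[A-Za-z_][A-Za-z0-9_]*|:|\d+)")

def parse_selection(tokens, pos):
    """Parse '{ field(arg: v) { ... } ... }' into {field: (args, sub_selection)}."""
    pos += 1                                  # skip the opening '{'
    fields = {}
    while tokens[pos] != "}":
        name, pos, args = tokens[pos], pos + 1, {}
        if tokens[pos] == "(":                # optional argument list
            pos += 1
            while tokens[pos] != ")":
                key, val = tokens[pos], tokens[pos + 2]   # key ':' value
                args[key] = int(val) if val.isdigit() else val
                pos += 3
            pos += 1
        sub = None
        if tokens[pos] == "{":                # nested selection set
            sub, pos = parse_selection(tokens, pos)
        fields[name] = (args, sub)
    return fields, pos + 1                    # position just past the closing '}'

def resolve(fields, parent):
    """Walk the selection against the data, returning only the requested fields."""
    out = {}
    for name, (args, sub) in fields.items():
        # 'user' is the only root field; everything else is read off the parent object
        value = USERS.get(args.get("id")) if name == "user" else parent.get(name)
        if sub is not None and value is not None:
            value = ([resolve(sub, v) for v in value] if isinstance(value, list)
                     else resolve(sub, value))
        out[name] = value
    return out

def execute(body):
    """Handle a POST body as it would arrive at the single /graphql endpoint."""
    fields, _ = parse_selection(TOKEN.findall(json.loads(body)["query"]), 0)
    return {"data": resolve(fields, {})}
```

Note that the response carries only the fields named in the query (no `email`, no post `body`), which is the over-fetching problem of the three REST endpoints being solved in one round trip.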
Suppose we want to fetch the user ids from the system; we…